OpenEMR Arbitrary File Read Vulnerability in EtherFax Module

Vulnerability

A vulnerability allowing authenticated users to read arbitrary files from the server filesystem has been identified in OpenEMR versions prior to 7.0.4. The issue is in the 'disposeDocument()' method of 'EtherFaxActions.php', where a user-supplied file path is not validated before use, so the method can be made to return sensitive files such as system configuration, database credentials, application source code, and personal data of other users. The root causes are missing authentication checks on the method, the absence of any path validation, and direct file access via 'readfile()'.

Impact

Exploitation of this vulnerability allows for unauthorized reading of sensitive files, including system files, database credentials, application configuration files, source code, and personal data of other users. This represents a complete breach of data confidentiality.

Reproduction

To reproduce this vulnerability, authenticate to OpenEMR with valid credentials (any privilege level) and navigate to the EtherFax module. Once there, send a request to the 'disposeDocument()' method with a malicious 'file_path' parameter that points to a sensitive file, such as '/etc/passwd' or the OpenEMR database configuration file. The server will respond with the contents of the requested file, demonstrating the arbitrary file read vulnerability.

Remediation

Users can update to OpenEMR version 7.0.4 or later, where this vulnerability has been patched. Alternatively, the Fax SMS module can be disabled if not needed, and access to the module can be restricted via Apache configuration.
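The following is an added illustration of the code pattern described in the Vulnerability and Remediation sections; it is not OpenEMR's code and does not reproduce the actual 'disposeDocument()' method. The function names, the base document directory and the session-based authorisation hook are assumptions. It places an unvalidated 'readfile()' call beside a version that confines the request to a fixed directory with 'realpath()' and refuses anything outside it.

```php
<?php
// Added example, not OpenEMR's own code. Function names, the $docDir base
// directory and the authorisation hook are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: the client-supplied path reaches readfile() unchecked,
 * so any file the web server process can read is returned to the caller.
 */
function serveDocumentUnsafe(string $requestedPath): void
{
    header('Content-Type: application/octet-stream');
    readfile($requestedPath);
}

/**
 * Hardened pattern: accept only a bare file name, resolve it under a fixed
 * document directory, canonicalise with realpath() and verify the result is
 * still inside that directory. Returns null on any failure so the caller
 * fails closed. Returning the path (rather than streaming) keeps it testable.
 */
function resolveDocumentPath(string $docDir, string $requestedPath): ?string
{
    $base = realpath($docDir);
    if ($base === false) {
        return null; // base directory missing: refuse rather than guess
    }
    // Reject empty names and anything carrying directory components
    // (basename() strips them, so a mismatch means traversal was attempted).
    if ($requestedPath === '' || basename($requestedPath) !== $requestedPath) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has resolved '..' and symlinks, so a prefix check now means
    // the file really lives under $base and not somewhere a symlink points.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/** Assumed authorisation hook: a logged-in session is required. */
function isAuthorizedForFaxDocuments(): bool
{
    return isset($_SESSION['authUserID']); // assumption, adapt to the application's ACL
}

function serveDocumentSafe(string $docDir, string $requestedPath): void
{
    if (!isAuthorizedForFaxDocuments()) {
        http_response_code(403);
        return;
    }
    $path = resolveDocumentPath($docDir, $requestedPath);
    if ($path === null) {
        http_response_code(404); // do not reveal whether the path existed
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

// Command-line demonstration on a constructed temporary directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/faxdemo_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . '/fax.pdf', 'constructed sample document');

    var_dump(resolveDocumentPath($dir, 'fax.pdf'));          // file inside the directory
    var_dump(resolveDocumentPath($dir, '../../etc/passwd')); // directory components rejected
    var_dump(resolveDocumentPath($dir, 'missing.pdf'));      // file does not exist

    unlink($dir . '/fax.pdf');
    rmdir($dir);
}
```

Two design points matter here. First, the check is on the canonical path returned by 'realpath()', not on the raw string, so encoded or symlinked traversal is caught rather than pattern-matched. Second, both failure branches return the same 404 so the endpoint does not become an oracle for which files exist; the authorisation check runs before any filesystem access, which is the gap the advisory attributes to the original method.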

Added: Feb 25, 2026, 2:22 AM
Updated: Feb 25, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          2.5
exploitability  5.8
remediation     8.3
relevance       3.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.